A Spreadsheet Formula Injection is a flaw that affects applications that export spreadsheet files built dynamically from inadequately validated input data. Once injected, it affects the users who open the exported spreadsheet files. Successful exploitation could lead to impacts such as client-side command injection, code execution, or theft of secret data.
Steps
Product: PeopleSoft Enterprise PeopleTools – Versions 8.56, 8.57 & 8.58
1. Log into the Oracle PeopleSoft Enterprise PeopleTools – HRMS application with your valid login credentials.
2. Go to Workforce Administration > Personal Information > Modify a Person and click Search to display the user profile.
3. Now change the user's name to a malicious CSV injection payload and click Save.
4. Go to Reports > Administration > Reimbursement Reports > Employee telephone details.
5. Click the CSV text file to download it. When the user opens the file, the CSV injection payload executes after the user dismisses the warning from Microsoft Excel.
6. Click Yes 5 times. This opens 5 command prompt windows on the user's system, and CMD starts pinging the com.
_____________
CVE-2020-2782
Injection Vulnerability in Oracle PeopleSoft
- Cyber Arch